Managing Audit Records

By managing the audit trail, you can monitor the actions of users on
your network. Auditing can generate large amounts of data. The following tasks
show you how to work with all this data.

How to Display Audit Record Formats

To write scripts that can find the audit data that you want, you need
to know the order of tokens in an audit event. The auditrecord command displays
the audit event number, audit class, selection mask, and record format of
an audit event.

Put the format of
all audit event records in an HTML file.

The -a option
lists all audit event record formats. The -h option puts the
list in HTML format that can be displayed in a browser.

% auditrecord -a -h > audit.events.html

When you display the *html file in a browser, use
the browser's Find tool to find specific records.

Example 30–23 Displaying the Audit Record Formats of a Program

In this example, the formats of all audit records that are generated
by the login programs are displayed. The login programs
include rlogin, telnet, newgrp,
role login to the Solaris Management Console, and Solaris Secure Shell.

How to Merge Audit Files From the
Audit Trail

By merging all audit files in all the audit directories, you can
analyze the contents of the entire audit trail. The auditreduce command
merges all the records from its input files into a single output file. The
input files can then be deleted. When the output file is placed in a directory
that is named /etc/security/audit/server-name/files, the auditreduce command
can find the output file without your specifying the full path.

Note –

This procedure applies only to binary audit records.

Assume a role that includes the Audit Review profile, or become
superuser.

The System Administrator role includes the Audit Review
profile. You can also create a separate role that includes the Audit Review
profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

Change
directories to the audit-trail-directory and merge
the audit records into a file with a named suffix. All directories that are
listed in the dir lines of the audit_control file
on the local system are merged.

# cd audit-trail-directory
# auditreduce -Uppercase-option -O suffix

The uppercase options
to the auditreduce command manipulate files in the audit
trail. The uppercase options include the following:

Example 30–26 Moving Audit Files to a Summary File

The -D option to the auditreduce command deletes an
audit file when you copy it to another location. In the following example,
the complete audit files from one system are copied to the summary directory
for later examination.

The audit files from the example1 system that were
the input to the *daily_example1 file are removed when
this command successfully completes.

How to Select Audit Events From the
Audit Trail

You can filter audit records for examination. For the complete
list of filtering options, see the auditreduce(1M) man page.

Assume a role that includes the Audit Review profile, or become
superuser.

The System Administrator role includes the Audit Review
profile. You can also create a separate role that includes the Audit Review
profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

Select the kinds of records that you want from the audit trail,
or from a specified audit file.

auditreduce -lowercase-option argument [optional-file]

argument

Specific argument that a lowercase option requires. For example,
the -c option requires an argument of
an audit class, such as ua.

-d

Selects all of the events on a particular date. The date format
for argument is yyyymmdd.
Other date options, -b and -a, select events
before and after a particular date.

-u

Selects all of the events attributable to a particular user.
The argument is a user name. Another user option, -e, selects all of the events attributable to an effective user ID.

-c

Selects all of the events in a preselected audit class. The argument is an audit class name.

-m

Selects all of the instances of a particular audit event.
The argument is an audit event.

optional-file

Is the name of an audit file.

Example 30–27 Combining and Reducing Audit Files

The auditreduce command
can eliminate the less interesting records as it combines the input files.
For example, you might use the auditreduce command to retain
only the login and logout records in audit files that are over a month old.
If you need to retrieve the complete audit trail, you could recover the trail
from backup media.

The merged nasumm audit file is time stamped with
the beginning and ending date of the na records.

Example 30–29 Finding Audit Events in a Specified Audit File

You can select audit files manually to search just the named set of
files. For example, you can further process the *nasumm file
in the previous example to find system boot events. To do so, you would specify
the file name as the final argument to the auditreduce command.

The 20030827183214.20030827183214.systemboot file
contains only system boot audit events.

Example 30–30 Copying One User's Audit Records to a Summary File

In this example, the
records in the audit trail that contain the name of a particular user are
merged. The -e option finds the effective user. The -u option
finds the audit user.

$ cd /var/audit/audit_summary.dir
$ auditreduce -e tamiko -O tamiko

You can look for specific
events in this file. In the following example, what time the user logged in
and out on Sept 7, 2003, your time, is checked. Only those files with the
user's name as the file suffix are checked. The short form of the date is yyyymmdd.

# auditreduce -M tamiko -O tamikolo -d 20030907 -u tamiko -c lo

Example 30–31 Copying Selected Records to a Single File

In this example, login and logout messages for a particular day are
selected from the audit trail. The messages are merged into a target file.
The target file is written in a directory other than the normal audit root
directory.

How to View the Contents of Binary
Audit Files

The praudit command enables you to view the contents
of binary audit files. You can pipe the output from the auditreduce command,
or you can read a particular audit file. The -x option is
useful for further processing.

Assume a role that includes the Audit Review profile, or become
superuser.

The System Administrator role includes the Audit Review
profile. You can also create a separate role that includes the Audit Review
profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

Use one of the following praudit commands to
produce the output that is best for your purposes.

The following
examples show praudit output from the same audit event.
Audit policy has been set to include the sequence and trailer tokens.

The praudit -s command displays audit records
in a short format, one token per line. Use the -l option to
place each record on one line.

Troubleshooting

How to Clean Up a not_terminated Audit File

Occasionally, an audit daemon exits while its audit file is still open.
Or, a server becomes inaccessible and forces the machine to switch to a new
server. In such instances, an audit file remains with the string not_terminated as the end timestamp, even though the file is no longer used for
audit records. Use the auditreduce -O command to give the
file the correct timestamp.

List the files with the not_terminated string
on your audit file system in order of creation.

# ls -R1t audit-directory*/files/* | grep not_terminated

-R

Lists files in subdirectories.

-t

Lists files from most recent to oldest.

-1

Lists the files in one column.

Clean up the old not_terminated file.

Specify the name of the old file to the auditreduce -O command.

# auditreduce -O system-name old-not-terminated-file

Remove the old not_terminated file.

# rm system-name old-not-terminated-file
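The following POSIX shell functions are an added example, not part of the Solaris guide. They parse audit file names of the form start-timestamp.end-timestamp.suffix shown on this page, pick out the stale not_terminated files from an "ls -t" style listing, and print the auditreduce -O and rm commands from the procedure above for review before anything is run. The sample listing, the system name example1, and the rule that the newest not_terminated file per system is the daemon's still-open file are assumptions of the example.

```shell
# Print the suffix field (system name, or the -O name) of an audit file name.
audit_file_host() {
    printf '%s\n' "${1##*.}"
}

# Succeed when the end-timestamp field of the name is "not_terminated".
is_not_terminated() {
    _mid=${1#*.}          # drop the start timestamp
    _mid=${_mid%%.*}      # keep only the end timestamp
    [ "$_mid" = not_terminated ]
}

# Read path names on stdin in "ls -t" order (newest first) and print the
# cleanup commands for every stale not_terminated file.
# Assumption: the newest not_terminated file for each system is the one the
# audit daemon still has open, so it is skipped; older ones are renamed with
# auditreduce -O and then removed, as in the procedure above. Commands are
# printed, not executed, so they can be reviewed first.
plan_cleanup() {
    _seen=" "
    while IFS= read -r _path; do
        _name=${_path##*/}
        is_not_terminated "$_name" || continue   # skips "dir:" headers too
        _host=$(audit_file_host "$_name")
        case "$_seen" in
            *" $_host "*)
                printf 'auditreduce -O %s %s\n' "$_host" "$_path"
                printf 'rm %s\n' "$_path"
                ;;
            *) _seen="$_seen$_host " ;;   # first (newest) file: still active
        esac
    done
}

# Constructed sample listing, newest first, as "ls -R1t ... | grep" would
# print it for a system named example1 (assumed name).
sample_listing() {
    printf '%s\n' \
        'example1/files/20030907120000.not_terminated.example1' \
        'example1/files/20030827183214.not_terminated.example1' \
        'example1/files/20030827183214.20030827183214.systemboot'
}
```

With real data, pipe the listing from the ls command in step 1 into plan_cleanup and run the printed commands only after checking that the skipped file is indeed the daemon's current one.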

Example 30–35 Cleaning Up Closed not_terminated Audit Files

In the following example, not_terminated files are
found, renamed, then the originals are removed.

The start timestamp on the new file reflects the time of the first audit
event in the not_terminated file. The end timestamp reflects
the time of the last audit event in the file.

How to Prevent Audit Trail Overflow

If your security policy requires that all audit data be saved, do the
following:

Set up a schedule to regularly archive audit files.

Archive
audit files by backing up the files to offline media. You can also move the
files to an archive file system.

If you are collecting text audit
logs with the syslog utility, archive the text logs. For
more information, see the logadm(1M) man
page.

Set up a schedule to delete the archived audit
files from the audit file system.

Save and store auxiliary information.

Archive information
that is necessary to interpret audit records along with the audit trail.

Keep records of which audit files have been archived.

Store the archived media appropriately.

Reduce the volume of audit data that you store by creating summary
files.

You can extract summary files from the audit trail by using
options to the auditreduce command. The summary files contain
only records for specified types of audit events. To extract summary files,
see Example 30–27 and Example 30–31.